diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java index 8989ca1e1..121681b44 100644 --- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java +++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java @@ -144,7 +144,10 @@ public class EscapeUtil public static void main(String[] args) { - String html = "alert('11111');"; + String html = ""; + // String html = "ipt>alert(\"XSS\")ipt>"; + // String html = "<123"; + // String html = "123>"; System.out.println(EscapeUtil.clean(html)); System.out.println(EscapeUtil.escape(html)); System.out.println(EscapeUtil.unescape(html)); diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java index 41739569d..3de26bb4b 100644 --- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java +++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java @@ -131,7 +131,7 @@ public final class HTMLFilter vAllowedEntities = new String[] { "amp", "gt", "lt", "quot" }; stripComment = true; encodeQuotes = true; - alwaysMakeTags = true; + alwaysMakeTags = false; } /** @@ -208,7 +208,7 @@ public final class HTMLFilter s = processRemoveBlanks(s); - s = validateEntities(s); + // s = validateEntities(s); return s; } @@ -245,6 +245,7 @@ public final class HTMLFilter // try and form html // s = regexReplace(P_END_ARROW, "", s); + // 不追加结束标签 s = regexReplace(P_BODY_TO_END, "<$1>", s); s = regexReplace(P_XML_CONTENT, "$1<$2", s);